MariaDB Connector/J - CONJ-1166

Implement connection properties fallbackToSystemKeyStore and fallbackToSystemTrustStore

Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.3.2
    • Fix Version/s: 3.4.0
    • Component/s: authentication
    • Labels: None
    • Environment: Server: MariaDB Community 10.11.6 LTS - O.S: Ubuntu 22.04
      Client: MariaDB Connector Java v3.3.2

    Description

      During authentication, even if a user was not created with the "REQUIRE X509" keywords, the 2-way SSL authentication using client certificates is attempted nonetheless if:

      • the client has got a client certificate set with the system property javax.net.ssl.keyStore AND
      • the client certificate was issued by a CA trusted by the MariaDB server.

      If the attempt fails, as it will if the system keyStore was set for reasons other than the authentication with the MariaDB server, it produces a handshake failure, resulting in the authentication being aborted, thus not being able to authenticate using native password.

      In recent versions of MySQL Connector (8.0.22+), a workaround for this issue was introduced with the client connection property fallbackToSystemKeyStore (and fallbackToSystemTrustStore). See also this MySQL bug.

      javax.net.ssl|DEBUG|0A|Thread-0|2024-03-21 15:17:30.603 CET|CertificateRequest.java:979|Consuming CertificateRequest handshake message (
      "CertificateRequest": {
        "certificate_request_context": "",
      [...]
      javax.net.ssl|DEBUG|0A|Thread-0|2024-03-21 15:17:30.936 CET|Finished.java:673|Produced client Finished handshake message (
      "Finished": {
        "verify data": {
          0000: 88 EC 90 11 87 1E 8D 5B   EA 74 7F 94 E6 A8 24 7D  .......[.t....$.
          0010: 08 24 27 37 08 12 7D 9C   28 4F FB 28 9C 10 5F EC  .$'7....(O.(.._.
          0020: 14 A4 8F 42 89 17 6A F3   F4 92 03 0E 5F 8F DF D2  ...B..j....._...
        }'}
      )
      javax.net.ssl|WARNING|0A|Thread-0|2024-03-21 15:17:30.953 CET|SSLSocketImpl.java:1658|handling exception (
      "throwable" : {
        java.net.SocketException: Broken pipe (Write failed)
        	at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
        	at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110)
        	at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:150)
        	at java.base/sun.security.ssl.SSLSocketOutputRecord.flush(SSLSocketOutputRecord.java:271)
      

      Steps to reproduce:

      1. set up a server with an SSL certificate issued by a CA
      2. generate a client SSL certificate issued by the same CA
      3. create a user without using "REQUIRE" keywords, or with the "REQUIRE SSL" keyword, but not "REQUIRE X509"
      4. create a JDBC connection specifying as system property javax.net.ssl.keyStoreType the path to the keystore containing the client certificate

      Possible workarounds:

      • unset system property javax.net.ssl.keyStoreType -> not feasible if client certificate authentication must be used in other scopes by the same application
      • use a different CA certificate for the server or the client certificate -> works, but it is a restriction

      Thanks in advance for looking at this.
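The property the ticket asks for, shown as an added illustration that is not Connector/J's own code and not part of the report above: a helper that decides whether a connection may inherit the JVM-wide javax.net.ssl.keyStore at all. The class name and the connector-level "keyStore"/"keyStorePassword" property names are assumptions, and only the key-store side of the request is covered.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Hypothetical helper, not Connector/J code: decides which client certificate,
// if any, a connection may present instead of inheriting javax.net.ssl.keyStore.
public final class ClientKeyPolicy {
    // "keyStore"/"keyStorePassword" are assumed connector-level property names;
    // fallbackToSystemKeyStore defaults to true, which reproduces today's behaviour.
    public static KeyManager[] selectKeyManagers(Properties props) throws Exception {
        String connStore = props.getProperty("keyStore");
        if (connStore != null) {
            // An explicit per-connection keystore always wins.
            return load(connStore, props.getProperty("keyStorePassword"), KeyStore.getDefaultType());
        }
        boolean fallback = Boolean.parseBoolean(props.getProperty("fallbackToSystemKeyStore", "true"));
        String sysStore = System.getProperty("javax.net.ssl.keyStore");
        if (fallback && sysStore != null) {
            // Legacy path: the JVM-wide certificate is offered whenever the server's
            // CertificateRequest names its issuing CA, even for users without REQUIRE X509.
            return load(sysStore, System.getProperty("javax.net.ssl.keyStorePassword"),
                    System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType()));
        }
        // No connector keystore and fallback disabled: an empty array makes SunJSSE
        // use a key manager that never selects an alias, so no client certificate is sent.
        return new KeyManager[0];
    }

    private static KeyManager[] load(String path, String password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        char[] pw = password == null ? null : password.toCharArray();
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        return kmf.getKeyManagers();
    }

    public static SSLContext buildContext(Properties props) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Null trust managers: SunJSSE falls back to the default trust store.
        ctx.init(selectKeyManagers(props), null, null);
        return ctx;
    }
}
```

With fallbackToSystemKeyStore=false the handshake in the log above never reaches the client Certificate step that broke it, because the connection simply answers the CertificateRequest with no certificate.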

          People

             Assignee: Diego Dupin
             Reporter: Luca Bueti